Business and Consumer Tips - 1.2 Gone Phishing

Posted by Rachael Falk on 11 July 2017

Operating online can open up a world of opportunities for businesses and individuals. But it can also open up users to a world of risk. auDA’s Director Technology, Security and Strategy Rachael Falk discusses one of the most common methods criminals use to steal sensitive personal and business information: phishing.

A phishing email (or sometimes a SMS or instant message) is a message purporting to be from a usually large, trustworthy organisation or government department. These emails or messages often invite you to open a link or attachment that will either lead you to a malicious website or install malicious software — malware — on your device.

When you click on the link, and it goes to a malicious website, it may be designed to look as genuine and innocuous as the real website. However, it will encourage you to enter confidential details like name or password or date of birth, which may be captured and sent to the scammers.

Phishing emails all have one thing in common: they ask you to click on a link or attachment.

Authorities and cyber experts have been warning internet users about phishing scams for many years — we first saw them in Australia in 2003 — but an ever-increasing level of sophistication on the part of cyber criminals means internet users need to stay alert.

While some phishing scams are still unsophisticated, replete with spelling errors and incorrectly formatted graphics, many of today’s phishing messages can look every bit as convincing as legitimate emails. Even expert computer users having difficulty discriminating between scams and the real thing.

In an effort to gain the trust of unsuspecting victims, phishing emails will often purport to be from some of Australia’s largest and most recognised names, such as banks. The most effective phishing emails or messages use similar language and graphics to what you’d expect the real deal to look like and, according to the ACCC, have cost Australians more than $260,000 in 2017 alone.

While phishing is one of the most widespread cybercrimes, it’s also one of the easiest to thwart.

At its simplest, don’t click on links in unexpected emails or messages. For even better security, don’t click on any links in any emails. Instead, go directly to the sender’s website in a browser and log in to view any details that way.

While avoiding clicking links in emails can protect you from phishing scams, it is unfortunately inconvenient in practice. One way around this is to check the URL of links in emails before clicking on them. If, for instance, you receive an email purporting from XYZ Bank, it would be reasonable to expect any links in the email to link to xyzbank.com.au. If the links do not, it does not necessarily indicate that the email is a phishing email — organisations have many reasons to use domains other than their own main domain — but it would be worth visiting XYZ Bank’s website directly, or if clicking through the link, not entering any personal details on the resulting page.

If you are in any doubt about the veracity of an email you have received, the simplest action is no action: don’t click on any links and either visit the genuine website of the business or contact the business directly. While there isn’t any single indicator of a phishing email, a glance at the email, the sender and any links may raise red flags that the email is malicious. Interacting online need not be inherently unsafe and following these simple steps, you can ensure you have safe and productive interactions online.